A common issue I observe when reviewing risk & compliance frameworks is the absence of a logical flow.
Risk & compliance should be managed in a systematic manner ensuring that nothing is missed & no gaps emerge.
The purpose of compliance is to protect. Protect the business, its people, stakeholders & customers. To do this, all component parts must work in sync.
The components of a systematic approach to risk & compliance
1. What you do & how you do it.
Within the insurance industry, the services & products you provide, & on whose behalf you provide them, determine whether you need to be APRA authorised, AFS Licensed, an Authorised Rep, a Code subscriber, a Distributor, a Service Supplier etc.
This in turn shapes your risk profile.
Unpacking what you do & how you do it is always the starting point in any risk & compliance framework.
2. Governance
Roles & responsibilities: who's doing what, who provides oversight & the mechanics of ‘doing & oversight’. This is the next step; it creates an environment within which business can be safely conducted & adds layers of protection.
3. Risk management
Understanding your risks & managing those risks [in 6 simple steps] within the boundaries of the firm’s risk appetite provides an internal mechanism for decision-making.
4. Licence management
For AFS Licensees, I call out licence management as a separate component. Your Licence is, after all, your ticket to play [including for any Authorised Reps].
5. Material obligations.
AFS Licence, APRA authorisation, Code & AFCA membership, Binder & Authorised Rep Agreements, Distribution & Claim service supplier arrangements all create obligations. These obligations must be identified. You can’t manage what you don’t know.
Depending on the size of the firm, I include the key control(s) within the obligations section. I find it's best to have a single source of truth [a manual] rather than multiple cross-referenced documents.
6. Obligations management
This sets in place a systematic approach to managing the obligations including the sources of new/amended obligations & how these are incorporated into the framework.
7. Control testing
A control that is not tested (for both design & operating effectiveness) is no control.
8. Monitoring & supervision
This extends to staff & ARs & forms another layer of protection. The M&S needs to be independent, fit-for-purpose & risk-based.
9. Reporting
Data from risk & compliance registers, control testing, monitoring & supervision provides an indication of the health of the compliance system.
10. Incident & breach management
Things do go wrong. The quicker they are identified, the less harm is caused.
Risk & compliance assistance
Contact me to understand how a systematic approach to risk & compliance protects your business, people & customers.